CLAIMS 

What is claimed is: 



1 1 . A system for controlling access of a client to a network resource, the system 

2 comprising: 

3 a network resource that is communicatively coupled to a network; 

4 an authentication server that is communicatively coupled to the network and to the 

5 network firewall routing device and comprising user profile information; 

6 a network firewall routing device that is communicatively coupled to the network and 

7 that is logically interposed between the client and the network resource; 

8 means for creating and storing client authorization information at the network firewall 

9 routing device, based in part on the user profile information, wherein the client 

10 authorization information comprises information indicating whether the client 

11 is authorized to communicate with the network resource and information 

12 indicating what access privileges the client has with respect to the network 

13 resource; 

14 means for receiving a request from the client to communicate with the network 

15 resource; 

1 6 means for determining whether the client is authorized to communicate with the 

17 network resource based on the authorization information; and 

1 8 means for reconfiguring the network firewall routing device to permit the client to 

19 communicate with the network resource only when the client is authorized to 

20 communicate with the network resource based on the authorization 

21 information. 

12. A system as recited in Claim 1, wherein the client authorization information 

2 comprises means in the network firewall routing device for caching client 

3 authorization information for each client that communicates with the network firewall 

4 routing device. 
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13. A system as recited in Claim 1, wherein the client authorization information 

2 comprises an authentication cache in the network firewall routing device for each 

3 client that communicates with the network firewall routing device. 

14. A system as recited in Claim 1, wherein the client authorization information 

2 comprises a plurality of authentication caches, each authentication cache uniquely 

3 associated with one of a plurality of clients that communicate with the network 

4 routing device, each authentication cache comprising information indicating whether 

5 the client is authorized to communicate with the network resource and information 

6 indicating what access privileges the client is authorized to have with respect to the 

7 network resource. 

1 5. A system as recited in Claim 1, wherein the means for determining whether the client 

2 is authorized to communicate with the network resource comprises means for 

3 matching information in the request identifying the client to information in means for 

4 filtering in the network routing device and to the authorization information stored in 

5 the network firewall routing device. 

1 6. A system as recited in Claim 1, wherein the means for determining whether the client 

2 is authorized to communicate with the network resource comprises: 

3 means for matching a source IP address of the client in a data packet of the 

4 request to information in a filtering mechanism of the network routing 

5 device; and 

6 means for matching the source IP address to the authorization information 

7 stored in the network firewall routing device if the source IP address 

8 matches the information in the filtering mechanism of the network 

9 routing device. 
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1 7. A system as recited in Claim 1, wherein the means for determining whether the client 

2 is authorized to communicate with the network resource comprises: 

3 means for matching a source IP address of the client in a data packet of the 

4 request to information in a means for filtering in the network routing 

5 device; 

6 means for matching the source IP address to the authorization information 

7 stored in the network firewall routing device if the source IP address 

8 matches the information in the filtering mechanism of the network 

9 routing device; and 

10 means for matching user identifying information received from the client to a 

11 profile associated with the user that is stored in the authentication 

12 server if the source IP address fails to match the authorization 

13 information stored in the network firewall routing device. 

1 8. A system as recited in Claim 1 , wherein the means for determining whether the client 

2 is authorized to communicate with the network resource comprises: 

3 means for matching a source IP address of the client in a data packet of the 

4 request to information in a filtering mechanism of the network routing 

5 device; 

6 means for matching the source IP address to the authorization information 

7 stored in the network firewall routing device if the source IP address 

8 matches the information in the filtering mechanism of the network 

9 routing device; and 

10 means for matching user identifying information received from the client to a 

11 profile associated with the user that is stored in a database server and is 

12 retrieved from the database server by the authentication server, if the 

13 source IP address fails to match the authorization information stored in 

14 the network firewall routing device. 
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1 9. A system as recited in Claim 1 , wherein the means for determining whether the client 

2 is authorized to communicate with the network resource comprises: 

3 means for matching client identifying information in the request to 

4 information in a filtering mechanism of the network routing device; 

5 means for matching the client identifying information to the authorization 

6 information stored in the network firewall routing device, if a match is 

7 found using the filtering mechanism; and 

8 means used, only when the client identifying information fails to match the 

9 authorization information stored in the network firewall routing device, 

10 for: 

1 1 , creating and storing new authorization information in the 

12 network firewall routing device that is uniquely 

13 associated with the client; 

14 requesting login information from the client; 

1 5 authenticating the login information by communicating with 

16 the authentication server; and 

17 updating the new authorization information based on 

1 8 information received from the authentication server. 

1 10. A system as recited in Claim 9, wherein the means for requesting login information 

2 from the client comprises means for sending a Hypertext Markup language login form 

3 from the network firewall routing device to the client to solicit a username and a user 

4 password; and wherein the means for authenticating the login information comprises 

5 means for determining, from a profile associated with a user of the client stored in the 

6 authentication server, whether the username and password are valid. 
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1 11. A system as recited in Claim 9, wherein the means for requesting login information 

2 from the client comprises means for sending a Hypertext Markup language login form 

3 from the network firewall routing device to the client to solicit a username and a user 

4 password; and wherein the means for authenticating the login information comprises: 

5 means for retrieving a profile associated with a user of the client from 

6 a database server; and 

7 means for determining, from the profile associated with the user, 

8 whether the username and password are valid. 



A system as recited in Claim 9, the system further comprising: 

means for creating and storing an inactivity timer for each authentication cache, 

wherein the inactivity timer expires when no communications are directed 

from the client to the network resource through the network firewall routing 

device during a pre-determined period of time; 
means for removing the updated authentication information when the inactivity timer 

expires. 



1 13. A system as recited in Claim 1 , wherein the means for determining whether the client 

2 is authorized to communicate with the network resource comprises: 

3 means for matching a source IP address in the request to information in a 

4 filtering mechanism of the network routing device; 

5 means for matching the source IP address to the authorization information 

6 stored in the network firewall routing device using an authentication 

7 cache in the network firewall routing device; and 

8 means used, only when the source IP address fails to match the authorization 

9 information stored in the network firewall routing device, for: 
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10 creating and storing a new entry in the authentication, cache that 

11 is uniquely associated with the client; 

12 requesting login information from the client; 

1 3 authenticating the login information by communicating with 

14 the authentication server; and 

15 updating the new entry in the authentication cache based on 

16 information received from the authentication server. 

1 14. A system as recited in Claim 1 , Ayherein the means for reconfiguring the network 

2 firewall routing device comprises means for creating and storing one or more 

3 commands to the network firewall routing device which, when executed by the 

4 network firewall routing device, result in modifying one or more routing interfaces of 

5 the network firewall routing device to permit communications between the client and 

6 the network resource. 



A system for controlling access to a network resource, the system comprising: 

a network resource that is communicatively coupled to a network; 

an authentication server that is communicatively coupled to the network and to the 

network firewall routing device and comprising user profile information; 
a client capable of sending a request to communicate with the network resource; 
a network firewall routing device that is logically interposed between the client and 

the network resource and is capable of permitting the client to communicate 

with the network resource; 
means for creating and storing client authorization information at the network firewall 

routing device, wherein the client authorization information comprises 

information indicating whether the client is authorized to communicate with 

the network resource and information indicating what access privileges the 

client has with respect to the network resource; 
means for determining, at the network firewall routing device, whether the client is 

authorized to communicate with the network resource based on the 

authorization information; and 
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1 7 means for reconfiguring the network firewall routing device to permit the client to 

1 8 communicate with the network resource only when the client is authorized to 

19 communicate with the network resource based on the authorization 

20 information. 



A system as recited in Claim 15, wherein the client authorization information 
comprises a plurality of authentication caches, each authentication cache uniquely 
associated with one of a plurality of clients that communicate with the network 
routing device, each authentication cache comprising information indicating whether 
the client is authorized to communicate with the network resource and information 
indicating what access privileges the client is authorized to have with respect to the 
network resource. 



1 17. A system as recited in Claim 15, wherein the means for determining whether the 

2 client is authorized to communicate with the network resource comprises: 

3 means for matching client identifying information in the request to 

4 information in a filtering mechanism of the network routing device; 

5 and 

6 means for matching the client identifying information in the request to the 

7 authorization information stored in the network firewall routing device 

8 if the client identifying information in the request matches the 

9 information in the filtering mechanism of the network routing device. 

1 18. A system as recited in Claim 15, wherein the means for determining whether the 

2 client is authorized to communicate with the network resource comprises: 

3 means for matching client identifying information in the request to 

4 information in a filtering mechanism of the network routing device; 

5 means for matching the source IP address to the authorization information 

6 stored in the network firewall routing device if the client identifying 

7 • information in the request matches the information in the filtering 

8 mechanism of the network routing device; and 
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9 means for matching user identifying information received from the client to a 
10 profile associated with the user that is stored in a database server and is 

i 1 retrieved from the database server by an authentication server that is 

12 coupled to the network firewall routing device, if the client identifying 

13 information in the request fails to match the authorization information 

14 stored in the network firewall routing device. 

1 19. A system as recited in Claim 1 5 , wherein the means for determining whether the 

2 client is authorized to communicate with the network resource comprises: 

3 means for matching client identifying information in the request to 

4 information in a filtering mechanism of the network routing, device; 

5 means for matching the client identifying information in the request to the 

6 authorization information stored in the network firewall routing device 

7 using an authentication cache in the network firewall routing device; 
,8 and 

9 means, used only when the client identifying information in the request fails to 

10 match the authorization information stored in the network firewall 

1 1 routing device, for: 

12 creating and storing a new entry in the authentication cache that 

13 is uniquely associated with the client; 

14 requesting login information from the client; 

1 5 authenticating the login information by communicating with 

16 the authentication server; and 

17 updating the new entry in the authentication cache based on 

18 information received from the authentication server. 
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1 20. A system as recited in Claim 19, wherein the means for requesting login information 

2 from the client comprises means for sending a Hypertext Markup language login form 

3 from the network firewall routing device to the client to solicit a username and a user 

4 password; and wherein the means for authenticating the login information by 

5 communicating with the authentication server comprises: 

6 means for retrieving a profile associated with a user of the client from 

7 a database server; and 

8 means for determining, from the profile associated with the user, 

9 whether the username and password are valid. 

1 21 . A system as recited in Claim 1 5, wherein the client is a computer system executing a 

2 Web browser. 

1 22. A system for authentication comprising: 

2 a network resource connected to a network; 

3 a client capable of sending a request to communicate with the network resource; 

4 a network firewall routing device that is logically interposed between the client and 

5 the network resource and that permits the client to communicate with the 

6 network resource only when the client is authorized to communicate with the 

7 network resource based on client authorization information stored in the 

8 network firewall routing device, wherein the client authorization information 

9 comprises information indicating whether the client is authorized to 

10 communicate with the network resource and information indicating what 

11 - access privileges the client has with respect to the network resource; 

12 a database server that stores a plurality of user profiles, each user profile uniquely 

13 associated with one of a plurality of users that can use the client to send 

14 requests to communicate with the network resource; 

15 an authentication server that is logically interposed between the network firewall 

16 routing device and the database server, and that is capable of communicating 

17 with the database server and retrieving from the database server a user profile. 



-42- 

50325-0799 (Sequence No. 7915) 



A system as recited in Claim 22, wherein the network resource comprises a target 
server capable of servicing a request sent under at least one of HyperText Transfer 
Protocol; File Transfer Protocol; and Internet Control Message Protocol. 



1 24. A system as recited in Claim 22, wherein the client comprises a computer system 

2 executing a Web browser. 

1 25. A system as recited in Claim 22, wherein the network firewall routing device 

2 comprises: 

3 one or more processors; and 

4 a storage medium carrying one or more sequences of one or more instructions 

5 including instructions which, when executed by the one or more processors, 

6 cause the one or more processors to. perform the steps of: 

7 creating and storing the client authorization information at the network 

8 firewall routing device; 

9 receiving the request from the client to communicate with the network 

10 resource; 

11 determining whether the client is authorized to communicate with the 

12 network resource based on the client authorization information; 

13 . and 

14 permitting the client to communicate with the network resource only 

15 when the client is authorized to communicate with the network 

16 resource based on the client authorization information. 

1 26. A system as recited in Claim 25, wherein permitting the client to communicate with 

2 the network resource comprises the steps of creating and storing one or more 

3 commands which, when executed by the network firewall routing device, result in 

4 modifying one or more routing interfaces of the network firewall routing device to 

5 permit communications between the client and the network resource. 
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1 27. A system as recited in Claim 25, wherein determining whether the client is authorized 

2 to communicate with the network resource comprises the steps of: 

3 determining whether client identifying information in the request matches 

4 information in a filtering mechanism of the network firewall routing 

5 device; 

6 if a match is found using the filtering mechanism, determining whether the 

7 client identifying information matches the client authorization 

8 information stored in the network firewall routing device; and 

9 only when the client identifying information fails to match the client 

10 authorization information stored in the network firewall routing device, 

11 then: 

12 creating and storing new client authorization information in the 

13 network firewall routing device that is uniquely 

14 associated with the client; 

1 5 requesting login information from the client; 

1 6 authenticating the login information by communicating with 

17 the authentication server; and 

1 8 updating the new client authorization information based on 

19 information received from the authentication server. 



A system as recited in Claim 27, wherein: 

requesting login information from the client comprises sending a Hypertext Markup 

Language login form to the client to solicit a username and a password; and 
authenticating the login information by communicating with the authentication server 
comprises determining, from a profile that is associated with a user of the 
client and that is retrieved from the database server, whether the username and 
password are valid. 

1 29. A system as recited in Claim 22, wherein the authentication server comprises: 

2 one or more processors; and 
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3 a storage medium carrying one or more sequences of one or more instructions 

4 including instructions which, when executed by the one or more processors, 

5 cause the one or more processors to perform the steps of: 

6 receiving client identifying information from the network firewall 

7 routing device, wherein the client identifying information 

8 comprises a username and a password associated with a user of 

9 the client; 

10 retrieving a profile associated with the user from the database server; 

1 1 determining whether the username and the password in the client 

12 identifying information match the username and the password 

13 stored in the profile associated with the user; and 

14 only if a match is found, returning to the network firewall routing 

15 device information indicating that the username and the 

16 password are valid. 



A system as recited in Claim 22, wherein the database server comprises: 
one or more processors; and 

a storage medium carrying one or more sequences of one or more instructions 

including instructions which, when executed by the one or more processors, 
cause the one or more processors to perform the steps of: 

storing a profile associated with a user of the client, wherein the profile 

comprises a username and a password; and 
retrieving the profile associated with a user of the client upon a request 
from the authentication server. 
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